Upgrade commons-compress to 1.18 and tukaani xz to 1.8
commons-compress 1.18 includes the fixes for CVE-2018-1324 [1]
and CVE-2018-11771 [2].
Also update tukaani xz to 1.8, which is the version used by
commons-compress 1.18.
[1] https://nvd.nist.gov/vuln/detail/CVE-2018-1324
[2] https://nvd.nist.gov/vuln/detail/CVE-2018-11771
Change-Id: I4bf8ccc239445f20794844e6ea96005d7c8b9c77
diff --git a/WORKSPACE b/WORKSPACE
index 0d3f9ce..3e15dc2 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -315,8 +315,8 @@
# When upgrading commons-compress, also upgrade tukaani-xz
maven_jar(
name = "commons-compress",
- artifact = "org.apache.commons:commons-compress:1.15",
- sha1 = "b686cd04abaef1ea7bc5e143c080563668eec17e",
+ artifact = "org.apache.commons:commons-compress:1.18",
+ sha1 = "1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5",
)
maven_jar(
diff --git a/tools/nongoogle.bzl b/tools/nongoogle.bzl
index 2e84717..6788bc9 100644
--- a/tools/nongoogle.bzl
+++ b/tools/nongoogle.bzl
@@ -11,6 +11,6 @@
# Transitive dependency of commons-compress
maven_jar(
name = "tukaani-xz",
- artifact = "org.tukaani:xz:1.6",
- sha1 = "05b6f921f1810bdf90e25471968f741f87168b64",
+ artifact = "org.tukaani:xz:1.8",
+ sha1 = "c4f7d054303948eb6a4066194253886c8af07128",
)